News 07/03/24

DORA Update: develop ICT risk management framework

The Dutch Authority for the Financial Markets (AFM) has issued its third publication explaining the key aspects of the Digital Operational Resilience Act (DORA). This edition focuses on ICT risk management. By paying careful attention to ICT risk management, organisations gain an understanding of their ICT risks and how to minimise the related effects. This will help in enhancing the digital resilience of companies.

DORA has been in force since January 2023. DORA is a European regulation that aims to ensure that financial firms have better control of IT risks and are thus more resilient to cyber threats.

Resilience

To strengthen resilience against cyber threats and ICT disruptions, the Regulation details several requirements in the area of ICT, including with regard to ICT risk management. Companies are already able to analyse their compliance with the DORA requirements in this respect and take action, if needed. Effective ICT risk management helps organisations detect and manage ICT risks in a structured way. The requirements are set out in Chapter II (Articles 5 to 16) of the Regulation as well as in the RTS on ICT Risk Management. This DORA Update deals in detail with, among other things, the ICT risk management framework, Business Continuity Management (BCM) and employee learning and evolving in relation to ICT security and digital operational resilience.
 

Supervision of the Regulation

Firms have until January 2025 to comply with the Regulation. After that, DORA will officially enter into force and the AFM and DNB will supervise the Regulation. Some firms are already subject to DORA-related requirements under existing laws and regulations.
